Routing back to Direct Access Clients - is this possible?

Hi,
We have been using Direct Access for the past few months successfully; however, the one problem we are still having is that we can't use programs that require a route back to the Direct Access client (such as managing a Hyper-V machine on the local LAN, using SourceOffsite, or even using Remote Desktop to remote onto a Direct Access client or pinging the Direct Access client).
Our local LAN uses IPv4, and we can route fine to the Direct Access clients from the Direct Access server where the tunnel terminates, but not from any other machine on the network. Do I need to change the Direct Access configuration to allow this, or do I need to somehow create a route on my LAN for the Direct Access clients?
Thanks in advance
David

I found out how to do this in this useful article and tested it and it is working fine - thanks.
http://www.packtpub.com/article/configuring-manage-out-to-directaccess-clients

Similar Messages

  • Windows 8.1 Direct Access Client Needs to approve external wifi use before it connects - proxy not responding

    OK, so I have Windows 8.1 with the Direct Access client and it works fine when I am able to check and uncheck the proxy settings, which is a bit of a pain and seems unnecessary (I hope). If I take the laptop to a Starbucks I get the error that the proxy server is not responding, so it never redirects for me to "accept" the rules.
    If I uncheck my proxy settings it then redirects and connects to their internet wifi and off I go: DA connects and all is well.
    I am using a GPO to configure the proxy settings as shown (all options are greyed out for the users).

    Hi,
    Your problem is a classic one when using that kind of proxy settings, unfortunately.
    To solve this without the need for user interaction, there are two solutions that will sort this out for you. In your case, if you want to use your corporate connection for internet traffic even over DA, I'd opt for alternative 1 or 2 depending on what you are trying to achieve.
    1. WPAD (Web Proxy Auto-Discovery Protocol, http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol): it actually uses the automatic browser configuration checkbox on your client and looks for the file wpad.dat on a specific web server that you point out with either a DNS record called wpad or DHCP option 252.
    2. Auto configuration script (PAC script, http://en.wikipedia.org/wiki/Proxy_auto-config): uses the same kind of file as above. The difference is that you get the possibility, as you want in your scenario, to target which users should get the script.
    See the articles below for more details on the options you have.
    http://technet.microsoft.com/en-us/library/dd361918.aspx
    http://techlib.barracuda.com/display/WSFLEXv41/How+to+Configure+Proxy+Settings+Using+Group+Policy+Management
    Let us know if you need further assistance!
    /Johan
    MCT | MCSE: Private Cloud/Server, Desktop Infrastructure

  • Windows Server 2012 - Direct Access clients and the Windows 8 firewall

    Hi,
    We're running a simple proof of concept for Server 2012 Direct Access; we have a single DA server behind a firewall using NAT. We have a number of client devices set up for DA and running Windows 8.
    Our issue is that we can only get the Windows 8 Direct Access clients to connect (when outside the corporate network) and work with the Windows firewall disabled (public network profile).
    With the Windows firewall disabled everything works exactly as expected. When outside the corporate network the client detects the network state (public network profile), connects via DA and all internal resources can be accessed successfully...fantastic.
    Is there some specific guidance on manually configuring the Windows 8 firewall for Direct Access? We've tried the obvious TCP 443 with edge traversal enabled but without success.
    Much of the information we have found relates to UAG rather than Windows 2012 DA.
    Any assistance is appreciated.

    Hi,
    There isn’t any specific configuration on the firewall.
    Just confirm that port 443 can be forwarded to DirectAccess server.
    Of course, make sure you are using IPsec first.
    Check the links:
    STEP 6: Test DirectAccess Client Connectivity from Behind a NAT Device
    http://technet.microsoft.com/en-us/library/hh831524.aspx#TeredoCLIENT1
    DirectAccess for Windows Server 2012 Installation & Configuration Guide
    http://syscomlab.blog.com/2012/09/directaccess-for-windows-server-2012-guide/

  • I have an iPad and iPhone sharing iCloud. The iPad is using 268 MB, the iPhone 2.6 GB. My plan is 5 GB but it keeps saying I don't have enough space to back them up. How is this possible?

    I have an iPad and iPhone sharing iCloud. The iPad is using 268 MB, the iPhone 2.6 GB. My plan is 5 GB but it keeps saying I don't have enough space to back them up. How is this possible?

    Hey sameyrs2,
    Thanks for the question. Based on what you stated, it seems like you are getting a message when trying to back up to iCloud. I would recommend that you read these articles; they may be helpful in troubleshooting your issue.
    iCloud: Understanding Backup alert messages
    Manage your iCloud storage
    Thanks for using Apple Support Communities.
    Cheers,
    Mario

  • Cannot connect to direct access clients from management servers

    I have Direct Access set up on a Server 2012 machine and I have successfully added clients to it. Clients can reach internal resources and everything seems to be working great inbound. However, I am having some trouble with outbound management.
    From the Direct Access server I can ping, RDP, browse files, etc. From the management server I have defined in the DA setup I can only ping the machines and nothing else.
    I had worked with MS tech support to get to this point, and they had me configure my DA server and the few management servers with static IPv6 addresses. I'm not sure if this is necessary or if outbound management should work using ISATAP?
    My DA server is Server 2012, and the clients are Windows 8 and Windows 8.1.

    You should be able to make outbound management work using either ISATAP or native IPv6. If you have configured native IPv6 and it's not working, there may be some kind of routing issue with the way IPv6 is set up in your environment, or even a piece of networking equipment that is not IPv6 capable.
    If you're interested in trying the ISATAP route to see if you can get it working that way, Chapter 3 in this is dedicated to setting up ISATAP: http://www.packtpub.com/microsoft-directaccess-best-practices-and-troubleshooting/book
    (sorry, not trying to be self-serving, but these kinds of questions are exactly the reason why I put the book together)

  • Direct Access client getting NameResolutionFailure error

    Hi,
    I'm trying to set up Direct Access on a Windows 2012 R2 server and I'm running into what is hopefully a pretty easy problem to resolve.
    I've followed the instructions for a simple DA setup on a Windows 2012 R2 server with everything on one server, and I'm running behind a TMG 2010 server. On the TMG server I've published my DA server using a server publishing rule based on these instructions:
    http://danstoncloud.com/blogs/simplebydesign/archive/2013/04/04/tmg-can-be-a-good-friend-of-directaccess.aspx
    The setup seems pretty straightforward, but now when I'm testing my clients I'm getting the NameResolutionFailure error when I try to connect while I'm not on our internal network.
    The problem, I'm pretty sure, is DNS related, because when my test Windows 8.1 client is on our internal network everything works fine.
    When I plug the machine into an external network, I get the NameResolutionFailure error for the DA client. If I try to ping any address in our domain name I get an error that the address is unresolvable. I can ping any other domain name address fine.
    On my DA server, on the DNS tab of the Infrastructure Server setup I have the following entries:
    mydomain.com              fdf3:137e:5133:ce07:1000::127
    directaccess.mydomain.com
    DirectAccess-NLS.mydomain.com
    directaccess.mydomain.com is the publicly resolvable name of my DA 2012 R2 server that is bound to the external IP address published on my TMG 2010 server. This name is not resolvable on any internal machines.
    If I execute the get-DNSClientNRPTPolicy command I get this:
    Namespace                        : DirectAccess-NLS.mydomain.com
    QueryPolicy                      :
    SecureNameQueryFallback          :
    DirectAccessIPsecCARestriction   :
    DirectAccessProxyName            :
    DirectAccessDnsServers           :
    DirectAccessEnabled              :
    DirectAccessProxyType            : UseDefault
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired   : False
    NameServers                      :
    DnsSecIPsecCARestriction         :
    DnsSecQueryIPsecEncryption       :
    DnsSecQueryIPsecRequired         : False
    DnsSecValidationRequired         : False
    NameEncoding                     : Utf8WithoutMapping
    Namespace                        : directaccess.mydomain.com
    QueryPolicy                      :
    SecureNameQueryFallback          :
    DirectAccessIPsecCARestriction   :
    DirectAccessProxyName            :
    DirectAccessDnsServers           :
    DirectAccessEnabled              :
    DirectAccessProxyType            : UseDefault
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired   : False
    NameServers                      :
    DnsSecIPsecCARestriction         :
    DnsSecQueryIPsecEncryption       :
    DnsSecQueryIPsecRequired         : False
    DnsSecValidationRequired         : False
    NameEncoding                     : Utf8WithoutMapping
    Namespace                        : .mydomain.com
    QueryPolicy                      :
    SecureNameQueryFallback          :
    DirectAccessIPsecCARestriction   :
    DirectAccessProxyName            :
    DirectAccessDnsServers           : fdf3:137e:5133:ce07:1000::127
    DirectAccessEnabled              :
    DirectAccessProxyType            : NoProxy
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired   : False
    NameServers                      :
    DnsSecIPsecCARestriction         :
    DnsSecQueryIPsecEncryption       :
    DnsSecQueryIPsecRequired         : False
    DnsSecValidationRequired         : False
    NameEncoding                     : Utf8WithoutMapping
    So I'm thinking that the issue is related to the fact that the NRPT table says that for the directaccess.mydomain.com address there is no DNS server specified. In fact it seems like that entry shouldn't even be there. When I was configuring DA for the first time, I got a warning that said:
    Warning: The NRPT entry for the DNS suffix .serverdomain.local contains the public name used by client computers to connect to the Remote Access server. Add the name Servername.serverdomain.local as an exemption in the NRPT.
    I wasn't sure what this meant at the time but I'm guessing it's relevant to this problem.
    Can some one give some help with this?
    Thanks in advance
    Nick

    Hi,
    So here is what I did.  First the IP information from my DA server IPHTTPS address from ipconfig /all
    Tunnel adapter IPHTTPSInterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : IPHTTPSInterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::1(Preferred)
       IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000::2(Preferred)
       IPv6 Address. . . . . . . . . . . : fdfd:1374:5130:1000:2400:8f5a:a931:1ff8(Preferred)
       Link-local IPv6 Address . . . . . : fe80::2400:8f5a:a931:1ff8%17(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 436207616
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-4F-8E-38-00-15-5D-00-96-05
       NetBIOS over Tcpip. . . . . . . . : Disabled
    So the IPHTTPS address of my server appears to be the one above. I ran tracert -S, using this address as the source and going to an internal machine with an IPv6 address, and got this:
    tracert -S fdfd:1374:5130:1000:2400:8f5a:a931:1ff8 testserver
    Tracing route to testserver.mydomain.com [fdfd:1374:5130:ce07:1000::220]
    over a maximum of 30 hops:
      1    <1 ms    <1 ms    <1 ms  daserver.mydomain.com [fdfd:1374:5130:1000:2400:8f5a:a931:1ff8]
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
      4     *        *        *     Request timed out.
      5     *        *        *     Request timed out.
      6     *        *        *     Request timed out.
      7     *        *        *     Request timed out.
      8     *        *        *     Request timed out.
      9     *        *        *     Request timed out.
     10     *        *        *     Request timed out.
     11     *        *        *     Request timed out.
     12     *        *        *     Request timed out.
     13     *        *        *     Request timed out.
     14 
    So it looks like from the IPHTTPS address I can't get to any internal IPv6 addresses on my internal IPv6 network, I think, right? I did a route print on the DA server and got this:
    ===========================================================================
    Interface List
     12...00 15 5d 00 96 05 ......Microsoft Hyper-V Network Adapter
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     17...00 00 00 00 00 00 00 e0 IPHTTPSInterface
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      172.16.0.21     172.16.0.127    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.16.0.0    255.255.240.0         On-link      172.16.0.127    261
         172.16.0.127  255.255.255.255         On-link      172.16.0.127    261
        172.16.15.255  255.255.255.255         On-link      172.16.0.127    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      172.16.0.127    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      172.16.0.127    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      172.16.0.21  Default
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     12    261 ::/0                     fdfd:1374:5130:ce07:1000::21
      1    306 ::1/128                  On-link
     12   4205 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
     17    306 fdfd:1374:5130:1000::/64 On-link
     17    306 fdfd:1374:5130:1000::/128  On-link
     17    306 fdfd:1374:5130:1000::1/128      On-link
     17    306 fdfd:1374:5130:1000::2/128      On-link
     17    306 fdfd:1374:5130:1000:2400:8f5a:a931:1ff8/128        On-link
     12    261 fdfd:1374:5130:7777::/96 On-link
     12    261 fdfd:1374:5130:ce07::/64 On-link
     12    261 fdfd:1374:5130:ce07:1000::127/128                    On-link
     12    261 fdfd:1374:5130:ce07:6b8c:21b9:52b4:e7c5/128    On-link
     12    261 fe80::/64                On-link
     17    306 fe80::/64                On-link
     17    306 fe80::2400:8f5a:a931:1ff8/128              On-link
     12    261 fe80::e00f:6c15:fde4:6491/128           On-link
      1    306 ff00::/8                 On-link
     12    261 ff00::/8                 On-link
     17    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination      Gateway
      0 4294967295 fdfd:1374:5130:1000::/64 On-link
      0   4200 fdfd:1374:5130::/48      fdfd:1374:5130:ce07:1000::21
      0    256 fdfd:1374:5130:ce07::/64 On-link
      0 4294967295 fdfd:1374:5130:7777::/96 On-link
      0 4294967295 ::/0                     fdfd:1374:5130:ce07:1000::21
    ===========================================================================
    Am I missing a route here?
    Thanks
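
As an added example, not part of Nick's posts or of Microsoft's documentation: a PowerShell check an administrator can run on the DirectAccess client in the NameResolutionFailure situation above. It reads the same NRPT that Get-DnsClientNrptPolicy prints, confirms that the corporate suffix rule carries the DirectAccess DNS server (the DNS64 address on the DA server), confirms that the public IP-HTTPS name is an NRPT exemption (which is exactly what the wizard warning quoted above asks for: the client has to resolve that one name through the local ISP resolver before any tunnel exists, so it must bypass the suffix rule), and then tests resolution on both paths. The suffix, the public name and the fdf3:... address are the placeholders from the post; Get-DnsClientNrptPolicy, Resolve-DnsName and Get-NetIPHttpsState are the standard Windows 8 / Server 2012 cmdlets.

```powershell
# Added example: client-side NRPT / IP-HTTPS sanity check for a DirectAccess client.
# Run in an elevated PowerShell on the client while it is on an external network.
# The suffix and public name are placeholders taken from the thread, not real values.
param(
    [string]$CorpSuffix = '.mydomain.com',
    [string]$PublicName = 'directaccess.mydomain.com'
)

$nrpt = Get-DnsClientNrptPolicy

# Rule for the corporate suffix: must carry the DirectAccess DNS server (the DNS64
# address on the DA server, fdf3:137e:5133:ce07:1000::127 in the post above).
$suffixRule = $nrpt | Where-Object { $_.Namespace -eq $CorpSuffix }
$daDns      = @($suffixRule.DirectAccessDnsServers) | Where-Object { $_ }

# Exemptions are NRPT entries with no DirectAccessDnsServers: those names bypass
# the tunnel and are resolved by whatever DNS the local network hands out.
$exemptions = $nrpt | Where-Object { -not $_.DirectAccessDnsServers } |
              ForEach-Object { $_.Namespace }

$problems = @()
if (-not $daDns) {
    $problems += "No NRPT rule sends $CorpSuffix to a DirectAccess DNS server; " +
                 "corporate names will go to the local resolver and fail."
}
if ($exemptions -notcontains $PublicName) {
    $problems += "$PublicName has no NRPT exemption. The client must resolve the " +
                 "IP-HTTPS endpoint via the local DNS before any tunnel exists; " +
                 "without an exemption that lookup is sent into the tunnel it is still trying to build."
}

# Path 1: the public name through normal client resolution (no -Server, so NRPT applies).
try {
    $pub = Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop
    "Public name $PublicName -> $($pub.IPAddress -join ', ') (local DNS)"
} catch {
    $problems += "Cannot resolve $PublicName via local DNS: $($_.Exception.Message)"
}

# Path 2: IP-HTTPS interface state. Without an active interface there is no tunnel,
# so the DNS64 lookup below cannot succeed either.
$ipHttps = Get-NetIPHttpsState
"IP-HTTPS: $($ipHttps.InterfaceStatus) (LastErrorCode $($ipHttps.LastErrorCode))"

# Path 3: a corporate name, asked directly of the DA DNS64 address over the tunnel.
# The AD domain name itself is used because it always resolves (to the DCs); DNS64
# synthesises AAAA answers for IPv4-only hosts, so ask for AAAA.
if ($daDns) {
    $zone = $CorpSuffix.TrimStart('.')
    try {
        $corp = Resolve-DnsName -Name $zone -Type AAAA -Server $daDns[0] -ErrorAction Stop
        "$zone -> $($corp.IPAddress -join ', ') (via DA DNS $($daDns[0]))"
    } catch {
        $problems += "DA DNS server $($daDns[0]) did not answer for ${zone}: $($_.Exception.Message)"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'NRPT and IP-HTTPS look consistent.' }
```

If the exemption turns out to be missing, add it on the Infrastructure Servers (Step 3) DNS page of the Remote Access console rather than editing the NRPT on the client: the NRPT is delivered by the DirectAccess client GPO and local changes are overwritten at the next refresh.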

  • Routing Issue for Remote Access Clients over Site to Site VPN tunnels

    I have a customer that told me that Cisco has an issue when a customer has a topology of, let's say, 3 sites that have site-to-site tunnels built, and a Remote Access client connects to site A and needs resources at site B, but the PIX won't route to that site. Has this been fixed in the ASA?

    Patrick, that was indeed true for a long time.
    But now it is fixed in PIX and ASA version 7.x.
    Please refer to this document for details:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • Cannot apply Direct Access Client GPO on Windows 8.1 Enterprise client

    Hi, I have built a Direct Access environment on Windows Server 2012 R2 Essentials.
    All settings seem to be OK, but I'm completely stuck when I have to export the DA client GPO to the client computer.
    The client computer is a Win8.1 Enterprise, already joined to the domain.
    When I execute the command gpupdate /force, it completes successfully, but when I do a gpresult /R I have nothing in the "Applied Group Policy Objects" field (N/A), while I should have the Default Domain GPO and the DA client GPO.
    What is wrong at this stage?
    Thanks

    My user1 is in the "DirectAccess" group.
    In all the tutorials I saw, I have never seen that you have to add the computer object to this group, only the user.
    Anyway, I have just added it to the group.
    From my first post, here is what I did.
    I ran a Group Policy Results report from the DC against the client.
    It gave me the error "RPC unavailable".
    So I opened the local policies on the client > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall >
    Domain Profile > double-clicked "Windows Firewall: Allow inbound remote administration exception" > ticked Enable.
    I reran Group Policy Results, and it worked this time.
    Now I have the result for User1 on the TECH2 client PC.
    In the details pane > Denied GPOs:
    The DA client setting is denied with the reason "access denied"...
    Now on the client computer after a GPRESULT /R:
    Computer settings
    Applied Group Policy Object
    Default Domain Policy
    Local Group Policy
    The following GPOs were not applied because they were filtered out
    DirectAccess Client Setting
    Filtering: Denied (Security)
    DirectAccess Server Settings
    Filtering: Denied (Security)  -> normal

  • Direct Access client DNS Registration q.

    Hi All,
    We have Direct Access installed, configured and mostly working on a Windows 2012 R2 server supporting Win 8.1 clients (only).
    All internal resources are accessible and have good name resolution, etc.
    However, I now have to enable "manage out" functionality: SCCM-based Remote Assistance, etc.
    There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and the registration never reaches the corporate DNS servers.
    I have enabled "secure only" DNS registration by Group Policy.
    We use split tunneling for clients.
    The Direct Access server is behind a NAT firewall (Cisco), so the only effective transition technology is IP-HTTPS.
    Many thanks for any assistance in pointing me in the right direction.

    Hi,
    >>There is a major sticking point in that the clients are attempting to register DNS names on the local DHCP server (home/office router) and the registration never reaches the corporate DNS servers.
    Did you deploy IPv6 in your corpnet? If not, this is normal.
    If IPv4 is used in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess server will register the AAAA record on behalf of the client.
    Best Regards.
    Steven Lee

  • Win8.1 Direct Access Client Stuck at "Connecting"

    I'm experimenting with Direct Access in a lab setting with 1 client and 3 2012 R2 servers. The client is running Windows 8.1 Enterprise.
    The client is always able to connect to the Direct Access server but is unable to ping or connect to the 2 servers that don't have RAS installed. Moreover, this behavior migrates to whichever server is running Remote Access Server: so, if I remove the role and install it on another server, the client is able to communicate with the new server, but not the old.
    The connection from the client to the server is via IP-HTTPS (the only option available to me in this environment). The client is able to reliably determine when it's on the Internet versus the intranet. However, when on the Internet, it stays in a "Connecting" state and never connects, but I'm still able to access the DA server.
    Does anyone have any ideas on how to resolve this?

    I managed to resolve the issue. I'm posting here in the hope that this may help another newbie to DA.
    Here's what caused my issue: as I mentioned, this was a lab environment where the limited number of machines were fulfilling multiple roles. In particular, the DA server was also a backup domain controller running DNS. In my research, I came across a comment on http://directaccessguide.com that mentioned that the DA server runs DNS64 to support clients; that made me suspicious that the regular DNS server was in some way conflicting. And, in fact, before this server was made a backup DC, DA was functioning just fine. Removing the backup DC role resolved the issue.
    So the takeaway is this: don't run the regular DNS service on the DA server; if you do, you will get DA client connectivity only to the DA server.

  • I want to save my music library in the cloud /iTunes Match, but want both my wife's devices and mine to have access. Is this possible, and what's the best way to do this?

    Hi all,
    Can I store my iTunes files in the cloud, so that my wife and I can access them from various devices?
    Devices would include 2 iPhone 6S, 2 iPad2s, couple of iPods and a MacBook Air.
    We can't save all the music to a hard drive due to storage size.
    If we save it to the Cloud, can we create playlists and only download these as /when we need them?
    Thanks in advance,
    Ed

    Hi,
    Your music needs to be in your iTunes library on your computer or on an external drive. Read this user topic, "Make and keep a backup of your iTunes library", and only stream from the cloud.
    You can only use one Apple ID with Match. For your wife to get access to your music in the cloud, you will need to use your Apple ID.
    Subscribe to iTunes Match - Apple Support
    Manage your associated devices in iTunes - Apple Support
    Jim

  • Upon receipt of my computer after being restored from multiple viruses and re-downloading iTunes, I see that my playlists have been deleted. I, however, still have them on my touch and would like to sync them back into my PC. Is this possible?

    Upon the return of a virus-stricken PC and re-downloading iTunes, I noticed my playlists have been deleted. I, however, still have the playlists on my touch. Is it possible to sync my playlists back to my PC?

    Recovering your iTunes library from your iPod or iOS device: Apple Support Communities

  • Direct Access is working but how do I configure it for remote services, client management software, etc..

    Good morning/afternoon/evening TechNet,
    I've finally gotten a DA client connected to the corporate network from an external network. I'm having a couple of issues: one, not being able to ping the server from a computer that's on the same domain (I'm able to ping the DA client from the DA server). I'm not sure if there is a firewall setting that needs to be opened on the client for incoming echo requests? Second, we use a client management system called BMC, and I would like the Direct Access server to be able to utilize the BMC server so that I can manage the DA client whenever it's on the network. I noticed on the DA server that "Step 3" offers an area where it allows you to add servers that will be used for Direct Access client management. Would I just need to populate the server in here and then open the appropriate firewall rules so that the DA server has access to them? Lastly, trying to "mstsc" into the DA client, what would I need to open up on both sides so that I'm able to do this?
    Sorry about the horrible grammar, but I've been up 24+ hours getting this awesome but pain-in-the-butt Direct Access feature working.
    Thank you as always!
    -Liqsh0t

    I'm afraid it's a bit more complicated than adding a server into the list in Step 3 :)
    When a DirectAccess client is connecting into a corporate network that is IPv4 (I assume yours is; most are), it can reach into your IPv4 servers because the DA server is doing NAT64/DNS64 translations, turning all of your DirectAccess IPv6 packets into IPv4 packets before they head inside the network. But even though this happens in the background without you really knowing about it, the key thing there is that all DirectAccess traffic is IPv6. This means the clients can only be contacted via IPv6. If you have IPv6 inside your network, then you can route outbound fairly easily to your DA client computers. If you are all IPv4 inside, as most companies are, then you have to either roll IPv6 out inside your network, at least partially, or you have to utilize ISATAP inside your network in order to create a sort of "virtual IPv6 cloud" that runs on top of your IPv4 internal network. This enables your internal management systems (like the BMC servers and helpdesk computers for RDP access outbound) to have a connection into the IPv6 world, which then gives them some routing capability to get out to the IPv6-connected DA clients. In addition to this IPv6 or ISATAP setup, you also need to configure WFAS rules on the DA clients so that they will allow this traffic.
    There is some info on setting up ISATAP here: http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx
    Otherwise, one of the chapters in this book is also dedicated to the setup of a selective ISATAP environment, to be used for the purposes of DirectAccess outward management: https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
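
As an added example (not from this thread, the book, or Microsoft): the procedure that this answer and the earlier reply to "Cannot connect to direct access clients from management servers" describe, as the PowerShell an administrator would actually run. Part 1 puts a management server (the BMC server or a helpdesk machine) onto the ISATAP IPv6 overlay and tests RDP to a client over IPv6; it relies on the AAAA registration Steven Lee describes in the DNS registration thread above (the DA server registers the client's AAAA record), so the management server can find the client by name. Part 2 adds the WFAS rules on the DA client. The names isatap.mydomain.com and laptop01.mydomain.com and the prefix fdfd:1374:5130::/48 are assumed placeholders; the cmdlets are the standard NetworkTransition, NetTCPIP, DnsClient and NetSecurity ones shipped with Windows 8 / Server 2012.

```powershell
# Added example: manage-out readiness for an IPv4-only corpnet that uses ISATAP to
# reach DirectAccess clients. Part 1 runs on a management server (helpdesk box, BMC
# server), part 2 on a DirectAccess client. All names and prefixes are placeholders.

# ---------- Part 1: management server joins the ISATAP "virtual IPv6 cloud" ----------
# Assumed: an A record 'isatap' pointing at the DA server's internal IPv4 address.
# Windows DNS blocks the name 'isatap' by default (global query block list); on the
# DNS server run  Set-DnsServerGlobalQueryBlockList -List wpad  to keep only wpad blocked.
$IsatapRouter = 'isatap.mydomain.com'
$ClientName   = 'laptop01.mydomain.com'      # a DA client, registered in DNS by the DA server

Set-NetIsatapConfiguration -Router $IsatapRouter -State Enabled
Start-Sleep -Seconds 5                         # give the interface time to receive its prefix

# The ISATAP interface should now hold a global address (prefix from the DA server's
# router advertisement, interface ID ::0:5efe:<IPv4>), not only the well-known
# link-local fe80::5efe:<IPv4>.
$isatapAddr = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like 'isatap*' -and $_.PrefixOrigin -eq 'RouterAdvertisement' }
if (-not $isatapAddr) {
    throw "No global ISATAP address; check that $IsatapRouter resolves and that the DA server is the ISATAP router."
}
"ISATAP address: $($isatapAddr.IPAddress)"

# The client is reachable only over IPv6: look up its AAAA record and test RDP
# against that address rather than the name, so IPv4 fallback cannot mask a failure.
$aaaa = @(Resolve-DnsName -Name $ClientName -Type AAAA -ErrorAction Stop | Where-Object { $_.IPAddress })
if (-not $aaaa) { throw "$ClientName has no AAAA record; the DA server has not registered it." }
$rdp = Test-NetConnection -ComputerName $aaaa[0].IPAddress -CommonTCPPort RDP
"RDP to $($aaaa[0].IPAddress): $(if ($rdp.TcpTestSucceeded) { 'open' } else { 'blocked or unreachable' })"

# ---------- Part 2: DirectAccess client allows inbound manage-out traffic ----------
# Run on the client (or put the same rules in the DA client GPO). Edge traversal is
# required because the packets arrive through the IP-HTTPS/Teredo tunnel interface;
# a rule without it never matches tunnelled traffic. Scoping to the corporate IPv6
# prefix (assumed value) keeps these rules from exposing ping and RDP to arbitrary
# IPv6 sources; drop -RemoteAddress only if you have no stable internal prefix.
$CorpV6Prefix = 'fdfd:1374:5130::/48'

New-NetFirewallRule -DisplayName 'DA manage-out: ICMPv6 echo' -Direction Inbound `
    -Protocol ICMPv6 -IcmpType 128 -RemoteAddress $CorpV6Prefix `
    -EdgeTraversalPolicy Allow -Profile Any -Action Allow

New-NetFirewallRule -DisplayName 'DA manage-out: RDP' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $CorpV6Prefix `
    -EdgeTraversalPolicy Allow -Profile Any -Action Allow

# Verify that the rules are enabled and carry edge traversal.
Get-NetFirewallRule -DisplayName 'DA manage-out*' |
    Select-Object DisplayName, Enabled, Profile, EdgeTraversalPolicy
```

The management server still has to be listed under Step 3 (Infrastructure Servers, Management) in the Remote Access console, as the question above noticed; that list only controls which servers the client's infrastructure tunnel admits, so on its own it gives the server no IPv6 path to the client, which is what Part 1 supplies.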

  • Server 2012 Direct Access Single NIC cant get it to work

    Hi,
    I am having some real issues with setting up Direct Access with Server 2012 and a Windows 8 client; it simply won't work at all.
    First of all I should describe my setup:
    I have an internet connection with a static IPv4 address on the external network adapter of the router.
    The internal network address (the address of the router which has the internet connection) is 192.168.1.1.
    Server 1 (Windows 2008 R2 Standard) has a static IPv4 address 192.168.1.2 and has some ports forwarded from the router (443, 25, 80). This server is a domain controller, email server, and has the DNS, DHCP and certificate services.
    Server 2 (Windows 2008 R2 Standard) has static IPv4 address 192.168.1.3. It has no ports forwarded from the router as it has no services accessed externally; it is used as a file server and print server, backup domain controller and backup DNS.
    Server 3 (Windows 2012) has static IPv4 address 192.168.1.4 and has the Remote Access server role installed along with all the other default features and roles it requires in the setup process.
    These servers have all got an IPv6 address which I assume the server has configured automatically; there have been no deliberate configurations made to disable IPv6.
    I have no UAG or proxy server or anything else to route packets to internal servers, just this router which has the option for port forwarding (I assume that's NAT, isn't it? Sorry, I don't know much about that area).
    I go through the setup wizard in Remote Access to configure Direct Access. In the external URL I have entered da.mydomain.com and created a host A record in my external domain name provider's DNS which points the da record to my external IP address. The wizard creates all the GPOs, scoped correctly, and applied to a Windows 8 client. The operational status shows it's all working and I got green ticks. However, when I connect the client to the internal network it doesn't seem to have correctly got the DA settings. I run the following in PowerShell:
    Get-DnsClientNrptPolicy
    Nothing displays – at all
    Get-NCSIPolicyConfiguration
    Description                    : NCSI Configuration
    CorporateDNSProbeHostAddress   : fdd8:dd4a:ea42:7777::7f00:1
    CorporateDNSProbeHostName      : directaccess-corpConnectivityHost.mydomain.local
    CorporateSitePrefixList        : {fdd8:dd4a:ea42:1::/64, fdd8:dd4a:ea42:7777::/96, fdd8:dd4a:ea42:1000::1/128, fdd8:dd4a:ea42:1000::2/128}
    CorporateWebsiteProbeURL       : http://directaccess-WebProbeHost.mydomain.local
    DomainLocationDeterminationURL : https://DirectAccess-NLS.mydomain.local:62000/insideoutside
    Get-DAConnectionStatus
    Get-DAConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
    At line:1 char:1
    + Get-DAConnectionStatus
    + ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (MSFT_DAConnectionStatus:root/StandardCi...onnectionStatus) [Get-DAConnectionStatus], CimException
        + FullyQualifiedErrorId : Windows System Error 1753,Get-DAConnectionStatus
    I go into services.msc and find that the network connectivity assistant is not started, it wont start either something must trigger it but I have no idea how to get it triggered to start… this might be my only
    source of problem perhaps but on a more network level question:
    If I have such ports as 80, and 443 (which I assume DA uses in some form with a public IPv4 internet address) directed at server 1, how does the DA connection get to server 3 which has the DA role installed?
    I could create another record on the server which also opens port 443 to server as well as for server 1, but then how would the router know which server to pass the DA connection to if the same port is open for two different servers?
    Either way, the first issue is that the client doesn't seem to have the ability to connect internally correctly yet, so maybe this connectivity service is a good place to start? My understanding is that the
    network icon in the system tray should show that there is a corporate connection, but it doesn't. Also, the client seems to have the NLS certificate in the computer certificate store, so the cert side of things is working and the GPO side is working.
    Many thanks
    Steve

    Ahh, I see. So just to enlighten me even further...
    If a company has two web servers that would mean they would need two different public facing IP addresses so they can route to each internal web server. If, like the big companies have, they
    may have many web servers (possibly more than 100) I’m assuming that simply buying more public IP addresses would have a limit, especially since the IPv4 address space is pretty much exhausted. So is this where proxy systems come into play like ISA and Forefront,
    is this what they do?
    I assume if such a product was implemented you could go down to just one or two public IP addresses, point all traffic to the ISA server, and that in turn would do all the routing of packets
    to each server behind the NAT/router (probably based on some sort of domain name or subdomain namespace as its parameter for forwarding?).
    Secondly, what I have done is installed Windows Server 2012 and used that as a DirectAccess client (I read on another forum that the Windows 8 RP doesn't have the enterprise bits to make this
    work). I have got much further with the 2012 server acting as a client (installed on a laptop, installed Desktop Experience and Wireless LAN),
    but when I run the following command on my DA client I get the following status:
    Get-DAConnectionStatus
    Status    : connectedlocally
    Substatus : none
    This appears to work fine when I'm connected to the local network. But then I disconnect and run the command again and I get the following:
    Status    : Error
    Substatus : NameResolutionFailure
    On my router, what I did is temporarily disable port 443 going to my original server and instead opened it up pointing to my other server, so 443 traffic should be going to my DA server now, but I don't understand why it's giving the name resolution failure
    status. I have a host A record called "da" with my domain hoster, and entered the full domain namespace in the DA wizard as da.mydomain.com (the host A record has been up there for more than a week, so it's propagated through the net).
    So, a bit further but stuck again.
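    The checks below cover the two symptoms in Steve's posts (Get-DAConnectionStatus failing because the Network Connectivity Assistant service is stopped, and Status Error / Substatus NameResolutionFailure when off the LAN). This is an added example, not code from the original posts or from Microsoft. It assumes the public name da.mydomain.com from the thread and reads the NLS URL and the corporate probe host live from Get-NCSIPolicyConfiguration on the client; the service name NcaSvc is the Network Connectivity Assistant. Run it from an elevated PowerShell prompt on the Windows 8 / Server 2012 DA client.

```powershell
# DirectAccess client health check. Added example, not from the original posts.
# Assumption: $PublicName matches the external URL entered in the DA wizard.
param(
    [string]$PublicName = 'da.mydomain.com'
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1} - {2}' -f $tag, $Name, $Detail)
}

# 1. NRPT rules are delivered by the DA client GPO; an empty result means the GPO
#    never applied (confirm with gpresult /r that the DA client policy is listed).
$nrpt = @(Get-DnsClientNrptPolicy)
Write-Check 'NRPT policy present' ($nrpt.Count -gt 0) ('{0} rule(s)' -f $nrpt.Count)

# 2. Get-DAConnectionStatus throws "service is stopped or not responding" when the
#    Network Connectivity Assistant (NcaSvc) is not running, so check it first.
$nca = Get-Service -Name NcaSvc -ErrorAction SilentlyContinue
if ($nca -and $nca.Status -ne 'Running') {
    Start-Service -Name NcaSvc -ErrorAction SilentlyContinue
    $nca.Refresh()
}
$ncaState = if ($nca) { [string]$nca.Status } else { 'not installed' }
Write-Check 'NcaSvc running' ($ncaState -eq 'Running') $ncaState

# 3. Inside/outside detection: the NLS URL must answer only from the corporate LAN.
$ncsi   = Get-NCSIPolicyConfiguration
$inside = $false
try {
    $null = Invoke-WebRequest -Uri $ncsi.DomainLocationDeterminationURL -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
    $inside = $true
} catch { }
Write-Host ('[INFO] NLS {0} reachable: {1} -> client is {2}' -f $ncsi.DomainLocationDeterminationURL, $inside, $(if ($inside) { 'INSIDE' } else { 'OUTSIDE' }))

if (-not $inside) {
    # 4. The NCA DNS probe behind Substatus NameResolutionFailure: the corporate probe
    #    host must resolve (via the NRPT and DNS64) to the configured probe address.
    try {
        $probe = @(Resolve-DnsName -Name $ncsi.CorporateDNSProbeHostName -Type AAAA -ErrorAction Stop |
                   ForEach-Object { $_.IPAddress } | Where-Object { $_ })
        Write-Check 'Corporate DNS probe' ($probe -contains $ncsi.CorporateDNSProbeHostAddress) ($probe -join ', ')
    } catch {
        Write-Check 'Corporate DNS probe' $false $_.Exception.Message
    }

    # 5. Public name and TCP 443 to the IP-HTTPS listener. A NAT rule still sending
    #    443 to the wrong server shows up here as a failed connect.
    try {
        $addrs = @(Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop |
                   ForEach-Object { $_.IPAddress } | Where-Object { $_ })
        Write-Check 'Public name resolves' ($addrs.Count -gt 0) ('{0} -> {1}' -f $PublicName, ($addrs -join ', '))
    } catch {
        Write-Check 'Public name resolves' $false $_.Exception.Message
    }
    $tcp = Test-NetConnection -ComputerName $PublicName -Port 443 -WarningAction SilentlyContinue
    Write-Check 'TCP 443 reachable' $tcp.TcpTestSucceeded ('remote {0}' -f $tcp.RemoteAddress)

    # 6. IP-HTTPS interface state; LastErrorCode is 0 once the tunnel is up.
    $state = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    if ($state) {
        Write-Host ('[INFO] IP-HTTPS: {0} (LastErrorCode 0x{1:X})' -f $state.InterfaceStatus, $state.LastErrorCode)
    }
}

# 7. Finally, what the NCA itself reports (the same call that failed in the post).
try {
    $da = Get-DAConnectionStatus -ErrorAction Stop
    Write-Check 'DA status' ($da.Status -ne 'Error') ('{0} / {1}' -f $da.Status, $da.Substatus)
} catch {
    Write-Check 'DA status' $false $_.Exception.Message
}
```

    Read the output top to bottom: no NRPT rules points at group policy rather than at the network, a stopped NcaSvc explains the Windows System Error 1753, and a failing corporate DNS probe while the public name and TCP 443 both pass points at the IP-HTTPS tunnel or DNS64 rather than at external DNS.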

  • Direct Access Migration of Root CA

    We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed and the CA on this Domain Controller is named "DC01"
    The CDP location on the CA "DC01" is <servername> so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no http etc.)
    The CA "DC01" issues the version1 "Computer" certificates with AutoEnrollment to all clients and all our internal clients and external clients have a "Computer" certificate from CA "DC01"
    Now we have a UAG SP3 server with DirectAccess, and all our clients connect successfully with DirectAccess as it's set up now.
    In the UAG configuration (wizard) on the IPsec Certificate Authentication screen on the option "Use a certificate from a trusted root CA" the "DC01" Root CA certificate is selected
    As per Microsoft best practices, we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01".
    As we use the version 1 "Computer" certificate template we cannot select "Reenroll all certificate holders",
    so the idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version 1 Computer template; this effectively replaces all current Computer certificates based on the old v1 Computer template on clients.
    Then all clients get a new "Computer" certificate from the new Root CA but in the UAG Direct Access configuration the "IPsec Certificate Authentication" "Use a certificate from a trusted root CA" the old "DC01" Root CA
    certificate is still selected
    Question1; will this lock out clients that have a new Computer certificate from the new Root CA but the UAG Direct Access configuration still use the Root CA certificate from the old DC01 CA?
    Another idea is NOT to supersede the version 1 Computer certificate but to AutoEnroll the new v2 duplicated Computer template.
    This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS1"
    Question2; can a client have 2 computer certificates (1 from old DC01 ca and 1 from new CS01 ca) and connect Direct Access and will this still work?

    Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer"
    certificates again from the new CA (the old certs still existed on all the client computers) - and then switched the UAG settings over to the new root CA. This worked.
    I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road, but the above scenario worked fine for us and I have also worked with numerous companies that have multiple machine-type
    certificates on their client computers and as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.
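    The script below audits the machine certificates on a DA client against the criteria named in the answer above (a machine certificate with a private key and Client Authentication EKU that chains to the root CA selected in the UAG IPsec configuration), and, only once such a certificate is confirmed, can remove the ones issued by the retired CA. It is an added example, not code from the answer or from Microsoft. Assumptions: the new root's subject begins "CN=CS01" and the retired issuing CA is named "DC01", as in the question; revocation checking is skipped because only an LDAP CDP is published. Run elevated on the client.

```powershell
# Machine-certificate audit for the DirectAccess CA migration. Added example, not
# from the original thread. Subject and CA names are assumptions taken from the
# question; replace them with your own.
param(
    [string]$ActiveRootSubject = 'CN=CS01',   # root chosen under "Use a certificate from a trusted root CA"
    [string]$RetiredCAName     = 'DC01',      # issuer of the certificates to clean up
    [switch]$RemoveRetired                    # without this switch the script only reports
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-DaMachineCert {
    # DA IPsec needs a machine certificate with a private key, a Client Authentication
    # EKU (or no EKU at all), and a chain ending at the root configured on the UAG server.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '' }
        $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            HasKey         = $cert.HasPrivateKey
            ClientAuth     = ($eku.Count -eq 0) -or ($eku -contains $ClientAuthOid)
            Root           = $root
            ChainsToActive = $chainOk -and ($root -like "$ActiveRootSubject*")
            FromRetiredCA  = ($cert.Issuer -like "CN=$RetiredCAName,*") -or ($cert.Issuer -eq "CN=$RetiredCAName")
        }
    }
}

$inventory = @(Get-DaMachineCert)
$inventory | Format-Table Thumbprint, Issuer, NotAfter, HasKey, ClientAuth, ChainsToActive, FromRetiredCA -AutoSize

$usable  = @($inventory | Where-Object { $_.HasKey -and $_.ClientAuth -and $_.ChainsToActive -and $_.NotAfter -gt (Get-Date) })
$retired = @($inventory | Where-Object { $_.FromRetiredCA })

if ($usable.Count -eq 0) {
    Write-Warning "No certificate on this client chains to $ActiveRootSubject; do not switch the UAG root CA setting yet."
} elseif ($RemoveRetired) {
    # Delete the old CA's certificates only after a usable replacement is confirmed,
    # otherwise the client loses its IPsec tunnels until the next autoenrollment.
    foreach ($old in $retired) {
        if ($usable.Thumbprint -contains $old.Thumbprint) { continue }
        Remove-Item -Path "Cert:\LocalMachine\My\$($old.Thumbprint)" -Verbose
    }
} else {
    Write-Host ('{0} usable certificate(s) for DA, {1} from the retired CA; rerun with -RemoveRetired to delete the old ones.' -f $usable.Count, $retired.Count)
}
```

    Run it without the switch first and confirm a ChainsToActive = True row exists on a few clients before you change the root CA in the UAG wizard; the two-certificate state the answer describes is harmless, and the cleanup is only there to avoid confusion later.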
